Living Room Smoke Detector

Pass

Audited by ClawScan on May 1, 2026.

Overview

The artifacts show a coherent local smoke-alert helper, with user-visible notes around a Dirigera token, cron scheduling, local audio commands, and unverified TLS to the hub.

This appears purpose-aligned, but install it only if you want a cron-based local alarm that uses your Dirigera token and Mac speaker. Verify the hub IP, protect the token file, trust the audio tools, remove the cron entry if you uninstall it, and treat it only as a backup rather than a certified smoke alarm.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can authenticate to your Dirigera hub and read the device list/environment sensor values.

Why it was flagged

The script reads a local Dirigera token and uses it as a bearer token to query the hub. This is disclosed and purpose-aligned, but it is credentialed smart-home access.

Skill content

TOKEN_FILE = os.path.expanduser("~/.openclaw/workspace/.dirigera_token") ... headers = {"Authorization": f"Bearer {token}"}

Recommendation

Install only if this token path and hub access are intended; protect the token file and use the narrowest-scoped hub credential available.

What this means

On an untrusted or spoofed local network, the token-bearing request could be sent to the wrong endpoint.

Why it was flagged

The hub API connection disables TLS hostname and certificate verification while using a bearer token. This may be common for local self-signed IoT hubs, but it weakens endpoint identity checks.

Skill content

ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE

Recommendation

Use this only on a trusted LAN, verify the hard-coded hub IP, and prefer certificate validation or certificate pinning if the hub setup supports it.

What this means

The skill will run local macOS audio tools and ffmpeg to create or play the alert sound.

Why it was flagged

The script invokes local audio-generation and playback commands. This is central to the stated audible alert purpose and uses fixed argument lists rather than shell strings.

Skill content

subprocess.run(['afplay', ALERT_SOUND_PATH] ...); subprocess.run(['say', '-v', 'Samantha' ...]); subprocess.run(['ffmpeg', '-y', '-i', aiff ...])

Recommendation

Ensure 'afplay', 'say', and 'ffmpeg' are expected and installed from trusted sources before enabling the skill.

What this means

Once added to cron, the detector can keep running periodically and may keep playing alerts until the sensor reports normal air quality.

Why it was flagged

The skill documents recurring cron execution and a long-running alert loop. This is disclosed and purpose-aligned for an alarm, but it is persistent behavior the user must intentionally manage.

Skill content

Add to crontab to check every 5 minutes ... Loops until cleared - keeps playing every 5 seconds until air quality normalizes

Recommendation

Only add the cron entry deliberately, remove it when uninstalling, and consider a lock/single-instance guard to avoid overlapping runs during a long alert.